Field
This field is generally related to network security, and more specifically updating Domain Name System (DNS) blacklist records.
Related Art
A communication network may, for example, allow data to be transferred between two geographically remote locations. To transmit data over a network, the data is often divided into pieces, known as packets or blocks. Each packet or block may have a destination network address, such as an IP address, that indicates a destination of the packet and tells forwarding devices how the packet should be routed. These addresses are often numerical, difficult to remember, and may frequently change.
To identify a destination, domain names are frequently used. Domain names identify a destination host, or server, and may map to a corresponding network address. For example, the domain name www.example.com may map to the network address 93.184.216.119. To map domain names to network addresses, a domain name system (DNS) may be used. DNS may divide the namespace into a hierarchy with different organizations controlling different portions of the hierarchy. In different portions of the hierarchy, different name servers may store resource records that map domain names to network addresses.
To look up a network address from a domain name, DNS may use resolvers that execute a sequence of queries to different name servers. For example, the sequence of queries to resolve www.example.com may start at the root name server, which indicates the address of the name server for .com. Then, the DNS resolver may query the name server for .com for the address of the name server for example.com. Then, the DNS resolver may query the name server for example.com for the address of www.example.com. In practice, so that a resolver does not need to go through the entire sequence for each request, the resolver may cache the addresses of the various name servers. Also in practice, the full query name may be sent to each server, in order to discover an answer if present, or a subdelegation, or a name-not-present condition, opportunistically.
Many new domains are registered every day. But not all domains are registered for legitimate purposes. Some domains are registered for malicious purposes. One malicious purpose is to bring down a network service. Attacks for this purpose may be called denial of service attacks. One example of a denial of service attack is Transport Control Protocol (TCP) SYN flood abuse.
Other network abuses may not be trying to bring down a service, but may instead be making network requests, including application-level requests, for other improper purposes. In these abuses, an automated system may be making application requests that, for example, set up fake user accounts and try to entice a user to devolve confidential information, such as her password, credit card information, or Social Security number, or run other scams. Domains may be registered to support these abuses as well as other types of network abuses including malware, phishing, or spam.
To protect against network abuse, network administrators can configure DNS resolvers to block or redirect lookups to domain names believed to be malicious. For example, Domain Name Service Response Policy Zones (DNS RPZ) provide a mechanism to block or redirect specified domain names lookups.
Services are available that provide updates to RPZ databases. For example, services may provide domain names that are suspected of being malicious. Using the services, the databases may be continuously updated, perhaps once a minute or even once a second. During the updates, the RPZ database, or portion of the database, may be locked, blocking concurrent read requests. If multiple DNS resolvers are trying to access the RPZ database, they all may be blocked. Blocking read requests can slow a DNS resolver's response time when it receives requests to resolve a domain name into an IP address.
Systems and methods are needed to more efficiently update a response policy zone database.